Cisco firewalls under attack – and there's no patch: Too many SIPs and they drown in data

Cisco says miscreants are actively exploiting a SIP vulnerability in its networking gear that it disclosed on Wednesday.

The bug, CVE-2018-15454, lies within code in some Adaptive Security Appliances, and its Firepower Threat Defense software, that handles Session Initiation Protocol (SIP) packets. SIP is the signalling protocol used in IP telephony.

The advisory warns that an attacker can hose a vulnerable system offline “by sending SIP requests designed to specifically trigger this issue at a high rate.”

If your network is being attacked this way, you'll see a large number of incomplete SIP connections per second, viewed with the show conn port 5060 command. Meanwhile, show processes cpu-usage non-zero sorted will show high CPU utilization. If an affected unit crashes, there will be an “unknown abort of the DATAPATH thread” error message, the advisory added.

Since Switchzilla doesn't have a patch ready yet, sysadmins are advised to implement a variety of mitigations:

Disable SIP inspection if it's not needed;

Block hosts seen sending attack traffic;

Filter the “sent-by” address 0.0.0.0, because Cisco says the attacks it observed used that (invalid) address as the source;

Rate-limit SIP traffic.

Vulnerable systems use Cisco ASA software 9.4 and later, and FTD software 6.0 and later, on a number of different hardware platforms: the 3000 Series Industrial Security Appliance, ASA 5500-X firewalls, the ASA Services Module in Catalyst 6500 switches and Cisco 7600 routers, the Firepower 2100 and 4100 appliances, the Firepower 9300 ASA security module, and two virtualised products, ASAv and FTDv. ®